Closed Bug 1300817 Opened 8 years ago Closed 8 years ago

nsWindowWatcher::OpenWindowInternal() can read OriginAttributes off of the system principal

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

Attachments

(1 file)

Avoid inheriting the origin attributes of the subject principal if it's expanded
(deleted), patch
bzbarsky
: review+
Details | Diff | Splinter Review
See <http://searchfox.org/mozilla-central/source/embedding/components/windowwatcher/nsWindowWatcher.cpp#1118> This is definitely the wrong thing to do for expanded principals, as demonstrated by bug 1297687. It is also the wrong thing to do with the system principal. Since this code can run from the scriptable nsIWindowWatcher.openWindow(), it can cause bugs with add-ons calling it from such principals mentioned above.
Comment on attachment 8788959 [details] [diff] [review] Avoid inheriting the origin attributes of the subject principal if it's expanded That doesn't address subjectPrincipal being system. Why is that ok? r=me with that explained.
Attachment #8788959 - Flags: review?(bzbarsky) → review+
Err, it's not OK. I meant to do that in a separate patch for easier bisectability but I forgot. Sorry! :/ Filed as bug 1301201.
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1301201
Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fdfb1d87051b Avoid inheriting the origin attributes of the subject principal if it's expanded; r=bzbarsky
https://hg.mozilla.org/mozilla-central/rev/fdfb1d87051b
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Assignee: nobody → ehsan
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: